CN102193060B - Process and system for testing the integrated circuit device - Google Patents


Publication number
CN102193060B
Authority
CN
China
Prior art keywords
subset
integrated circuit
value
point
hypothesis
Prior art date
Legal status
Active
Application number
CN201110049399.9A
Other languages
Chinese (zh)
Other versions
CN102193060A
Inventor
B·菲克斯
G·加戈纳罗特
M·罗瑟莱特
V·韦尔努尔
Current Assignee
Rambus Inc
Original Assignee
Inside Secure SA
Priority date
Filing date
Publication date
Priority claimed from FR1000833A (FR2956932B1)
Priority claimed from FR1000834A (FR2956933A1)
Priority claimed from US12/750,953 (US8572406B2)
Priority claimed from US12/750,846 (US8457919B2)
Application filed by Inside Secure SA
Publication of CN102193060A
Application granted
Publication of CN102193060B
Active
Anticipated expiration


Classifications

    • G01R31/303 Contactless testing of integrated circuits (G01R31/00 Arrangements for testing electric properties or locating electric faults; G01R31/28 Testing of electronic circuits, e.g. by signal tracer; G01R31/302 Contactless testing)
    • G06F7/722 Modular multiplication (G06F7/00 Processing data by operating upon the order or content of the data handled; G06F7/60 Computations using a digital non-denominational number representation; G06F7/72 Using residue arithmetic)
    • G06F7/723 Modular exponentiation (G06F7/00; G06F7/60; G06F7/72)
    • G06F11/26 Functional testing (G06F11/00 Error detection, error correction, monitoring; G06F11/22 Detection or location of defective computer hardware by testing during standby operation or idle time, e.g. start-up testing)
    • G06F11/30 Monitoring (G06F11/00)
    • H04L9/003 Countermeasures against attacks on cryptographic mechanisms for power analysis, e.g. differential power analysis [DPA] or simple power analysis [SPA] (H04L9/00 Cryptographic mechanisms or arrangements for secret or secure communications, network security protocols; H04L9/002 Countermeasures against attacks on cryptographic mechanisms)
    • H04L9/302 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy, involving the integer factorization problem, e.g. RSA or quadratic sieve [QS] schemes (H04L9/00; H04L9/30 Public key; H04L9/3006 Underlying computational problems or public-key parameters)
    • G06F2207/7238 Operand masking, i.e. message blinding, e.g. (A+r)**e mod n; k.(P+R) (G06F2207/00 Indexing scheme relating to G06F7/00; G06F2207/72 Indexing scheme relating to groups G06F7/72 - G06F7/729; G06F2207/7219 Countermeasures against side channel or fault attacks; G06F2207/7223 Randomisation as countermeasure against side channel attacks; G06F2207/7233 Masking, e.g. (A**e)+r mod n)
    • G06F2207/7252 Randomisation of operation order as countermeasure against side channel attacks, e.g. starting to treat the exponent at a random place, or in a randomly chosen direction (G06F2207/00; G06F2207/72; G06F2207/7219; G06F2207/7223)
    • H04L2209/046 Masking or blinding of operations, operands or results of the operations (H04L2209/00 Additional information or applications relating to cryptographic mechanisms or arrangements for secret or secure communication H04L9/00; H04L2209/04 Masking or blinding)
    • H04L2209/08 Randomization, e.g. dummy operations or using noise (H04L2209/00)
    • H04L2209/12 Details relating to cryptographic hardware or logic circuitry (H04L2209/00)
    • H04L2209/26 Testing cryptographic entity, e.g. testing integrity of encryption key or encryption algorithm (H04L2209/00)

Abstract

A process for testing an integrated circuit includes collecting a set of points of a physical property while the integrated circuit is executing a multiplication, dividing the set of points into a plurality of subsets of lateral points, calculating an estimation of the value of the physical property for each subset, and applying to the subsets of lateral points a step of horizontal transversal statistical processing using the estimations of the value of the physical property, in order to verify a hypothesis about the variables manipulated by the integrated circuit.

Description

Method and system for testing an integrated circuit device
Technical field
Embodiments of the invention relate to an integrated circuit comprising a multiplication function configured to perform the multiplication of two binary words x and y in a plurality of elementary multiplication steps of a component x_i of word x by a component y_i of word y.
Embodiments of the invention relate in particular to an integrated circuit comprising an external data processing function whose execution comprises at least one conditional branch leading either to a first multiplication step of binary words or to a second multiplication step of binary words, the conditional branch depending on private data of the integrated circuit.
Embodiments of the invention relate in particular to a process and a system for testing such an integrated circuit.
Embodiments of the invention also relate to a process for protecting an integrated circuit of the above type against side-channel analysis, and to a countermeasure that allows such an integrated circuit to pass a qualification or certification process comprising a test process according to an embodiment of the invention.
Background technology
Today, increasingly advanced secure processors can be found in chip cards and other embedded systems (such as USB keys (flash drives), decoders and game consoles, and, more generally, any Trusted Platform Module (TPM)). These processors, in the form of integrated circuits, usually have an 8-bit complex instruction set computer (CISC) core, or an 8-, 16- or more-bit reduced instruction set computer (RISC) core; today 32-bit processors are the most widespread. Some integrated circuits also comprise a coprocessor dedicated to certain cryptographic computations, in particular an arithmetic accelerator for asymmetric algorithms (such as Rivest, Shamir and Adleman (RSA), the Digital Signature Algorithm (DSA), the Elliptic Curve Digital Signature Algorithm (ECDSA), etc.).
As an example, Fig. 1 shows a secure integrated circuit CIC1 arranged on a portable support HD (such as a plastic card or any other support). The integrated circuit comprises a microprocessor MPC, an input/output circuit IOC or interface communication circuit, memories M1, M2, M3 linked to the microprocessor by data and address buses, optionally a coprocessor CP1 for cryptographic computations or arithmetic accelerator, and a random number generator RGEN. Memory M1 is a random access memory (RAM) containing volatile application data. Memory M2 is a non-volatile memory, such as an EEPROM or flash memory, containing application programs. Memory M3 is a read-only memory (ROM) containing the operating system of the microprocessor.
The interface communication circuit IOC can be, for example, of the contact type according to the ISO/IEC 7816 standard, of the contactless type with inductive coupling according to the ISO/IEC 14443A/B or ISO/IEC 13693 standard, of the contactless type by electrical coupling (UHF interface circuit), or of both contact and contactless type (so-called "combi" integrated circuits). Fig. 1 shows as an example an inductive-coupling contactless interface circuit IOC equipped with an antenna coil AC1 for receiving a magnetic field FLD. The field FLD is emitted by a card reader RD, itself equipped with an antenna coil AC2. The circuit IOC comprises means for receiving and decoding the data DTr emitted by the card reader RD and means for encoding and emitting the data DTx supplied by the microprocessor MPC. It can also comprise means for extracting from the magnetic field FLD the supply voltage Vcc of the integrated circuit and a clock signal CK.
In certain embodiments, the integrated circuit CIC1 can be configured to perform, by means of a cryptographic function (for example an RSA function), an encryption, decryption or signature operation on a message m sent to it, based on a modular exponentiation using a private key d and a modulus n.
Overview of modular exponentiation
The modular exponentiation function has the following mathematical expression:
m^d modulo(n)
where m is the input data, d is the exponent and n is the modulus. The modular exponentiation function thus consists in calculating the remainder of the division of m to the power d by n.
Such a function is used by various cryptographic algorithms (such as the RSA algorithm, the DSA algorithm, Elliptic Curve Diffie-Hellman (ECDH), ECDSA, ElGamal, etc.). The data m is then the message to encrypt and the exponent d is the private key.
Such a function can be implemented using the following algorithm (modular exponentiation according to the Barrett method):
Exponentiation algorithm:
Input:
"m" and "n" are integers such that m < n
"d" is an exponent of v bits such that d = (d_{v-1} d_{v-2} ... d_0)_2
Output: a = m^d modulo n
Step 1: a = 1
Step 2: Pre-calculations of the Barrett reduction
Step 3: for s from 1 to v do:
(Step 3A) a = BRED(LIM(a, a), n)
(Step 3B) if d_{v-s} = 1
then a = BRED(LIM(a, m), n)
Step 4: Return result a
where the message m and the modulus n are integers (for example of 1024 bits, 2048 bits or more), d is the exponent represented in base 2 by v bits (d_{v-1}, d_{v-2}, ..., d_0), "LIM" is a multiplication function of large integers ("long integer multiplication"), and "BRED" is a reduction function according to the Barrett method ("Barrett reduction") applied to the result of the LIM multiplication.
In an integrated circuit such as the one shown in Fig. 1, such a modular exponentiation algorithm can be executed by the microprocessor MPC or by the coprocessor CP1. Alternatively, some steps of the algorithm can be executed by the microprocessor and the others by the coprocessor (if it is only an arithmetic accelerator). For example, the microprocessor can delegate the LIM multiplications of steps 3A and 3B to the coprocessor, or, depending on the case, delegate the whole calculation to the coprocessor.
Furthermore, the LIM multiplication of a by a (step 3A) or of a by m (step 3B) is usually performed by the integrated circuit by means of a multiplication function of binary words x and y. This multiplication comprises a plurality of elementary multiplication steps of a component x_i (a_i) of word x by a component y_j (a_j or m_j) of word y, i and j being iteration variables, to obtain intermediate results that are concatenated to form the general result of the multiplication.
Overview of side-channel analysis
To verify the level of security offered by a secure integrated circuit intended to be marketed, qualification or certification tests are carried out at the industrial level. In particular, tests are carried out to assess the robustness of the integrated circuit against side-channel analysis, whose object is to discover the secret data of the integrated circuit.
The exponentiation algorithm is therefore subject to such controls. More precisely, the side-channel analysis of the modular exponentiation algorithm consists in deriving the value of the exponent bit by bit, during the execution of step 3 of the algorithm, at each iteration of rank s of this step, by observing the "behaviour" of the integrated circuit. The object of this observation is to determine whether the step 3 considered comprises only step 3A, or step 3A followed by step 3B.
In the first case, it can be deduced that the bit d_{v-s} of the exponent equals 0. In the second case, it can be deduced that d_{v-s} equals 1. Proceeding step by step, iteration by iteration for s = 1 to s = v, all the bits d_{v-s} of the exponent can be inferred for s from 1 to v-1. For example, during the first iteration of the exponentiation algorithm, the sequence of operations:
LIM(a,a), LIM(a,m)
shows that the first bit of the exponent is 1, whereas the sequence of operations:
LIM(a,a) LIM(a,a)
reveals that the first bit of the exponent is 0.
To discover the next exponent bit, the nature of the following operations must be determined. For example, if these operations are:
LIM(a,a) LIM(a,m) LIM(a,a) LIM(a,m)
or:
LIM(a,a) LIM(a,a) LIM(a,m)
then the last two operations LIM(a,a) LIM(a,m) show that the second bit of the exponent is 1. Conversely, after the following operations:
LIM(a,a) LIM(a,m) LIM(a,a) LIM(a,a)
the third operation LIM(a,a) shows that the second bit of the exponent is 0, because it is followed by LIM(a,a) rather than LIM(a,m).
Thus, to determine the exponent bits, any uncertainty about the conditional branching steps performed by the integrated circuit as a function of these bits must be resolved. Observing the current consumption of the integrated circuit usually allows these uncertainties to be removed.
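As an added example (not part of the patent text), the following Python implements the exponentiation listing above with the sequence of LIM calls recorded, together with the bit-by-bit reading of that sequence that the preceding paragraphs describe and the rank s' at which each step-3A operation appears; it assumes that LIM followed by BRED can be replaced by Python's (x * y) % n, and the operands are constructed toy values.

```python
# Added example, not the patent's own code. ASSUMPTION: BRED(LIM(x, y), n) is
# replaced by Python's (x * y) % n; the Barrett pre-calculations of step 2 are
# not modelled, since only the sequence of LIM calls matters here.


def mod_exp_traced(m: int, d: int, n: int):
    """Steps 1-4 of the listing. Returns (m^d mod n, trace), where trace lists
    'S' for each LIM(a,a) (step 3A) and 'M' for each LIM(a,m) (step 3B)."""
    v = d.bit_length()               # exponent of v bits d_{v-1} ... d_0
    a = 1                            # step 1
    trace = []
    for s in range(1, v + 1):        # step 3: for s from 1 to v
        a = (a * a) % n              # step 3A: BRED(LIM(a, a), n)
        trace.append("S")
        if (d >> (v - s)) & 1:       # step 3B only when d_{v-s} = 1
            a = (a * m) % n          # BRED(LIM(a, m), n)
            trace.append("M")
    return a, trace                  # step 4


def exponent_from_trace(trace):
    """The 'ideal' reading described in the text: every LIM(a,a) opens a new
    iteration; the bit is 1 if a LIM(a,m) follows it, otherwise 0."""
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("a LIM(a,m) can only follow a LIM(a,a)")
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2) if bits else 0


def curve_rank_of_step_3a(trace, s):
    """Rank s' (1-based position in the LIM sequence) of the step-3A operation
    of iteration s: one LIM per iteration plus one per earlier exponent bit
    equal to 1, i.e. the Hamming-weight offset discussed in the SPA section."""
    squarings = 0
    for rank, op in enumerate(trace, start=1):
        if op == "S":
            squarings += 1
            if squarings == s:
                return rank
    raise ValueError("iteration %d is not in the trace" % s)


def demo():
    # Constructed toy operands; real RSA operands are 1024 bits or more.
    m, d, n = 7, 0b1011, 101
    result, trace = mod_exp_traced(m, d, n)
    assert result == pow(m, d, n)    # the instrumented version computes m^d mod n
    return trace, exponent_from_trace(trace)


if __name__ == "__main__":
    trace, recovered = demo()
    print("LIM sequence:", " ".join("LIM(a,%s)" % ("a" if t == "S" else "m") for t in trace))
    print("exponent read from the sequence:", bin(recovered))
```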
Overview of side-channel analysis based on the observation of current consumption
An electronic component generally comprises thousands of logic gates that switch differently according to the operations performed. The switching of the gates causes measurable variations of the current consumption of very short duration (for example a few nanoseconds). It should be noted that integrated circuits manufactured in CMOS technology comprise logic gates made up of pull-up PMOS transistors and pull-down NMOS transistors having a very high input impedance on their control gate terminals. These transistors consume current between their drain and source terminals only during their switching, corresponding to a logic node switching to 1 or 0. The current consumption thus depends on the data handled by the microprocessor and by its various peripherals: memories, data circulating on the data or address bus, cryptographic accelerator, etc.
In particular, the multiplication operation LIM of large integers has a current consumption signature that is distinctive and different from that of general logic operations. Moreover, LIM(a,a) differs from LIM(a,m) in that it comprises the calculation of a square (a^2), whereas LIM(a,m) comprises the calculation of the product of a by m, which may give rise to two different current consumption signatures.
Based on the observation of the current consumption, conventional side-channel test processes use Simple Power Analysis (SPA), Differential Power Analysis (DPA), Correlation Power Analysis (CPA) or Big Mac analysis.
Test process based on SPA
SPA was disclosed by P.C. Kocher in "Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems", Advances in Cryptology - CRYPTO '96, volume 1109 of Lecture Notes in Computer Science, pages 104-113, Springer, 1996. SPA normally requires the acquisition of only a single current consumption curve. It aims at obtaining information about the activity of the integrated circuit by observing the part of the consumption curve corresponding to a cryptographic computation, since the current curve varies according to the operations performed and the data handled.
First, SPA allows the computation algorithm and the implementation used by the integrated circuit to be identified. The test system captures the general current consumption curve of the integrated circuit by measuring its current consumption. When the integrated circuit performs a modular exponentiation, as shown in Fig. 2, the consumption curves corresponding to the execution of LIM(a,a) and LIM(a,m) at each iteration of rank s of the algorithm can be distinguished in this general current consumption curve. In this consumption curve, curves C0, C1, ..., Cs' can be distinguished.
Each consumption curve Cs' is formed by consumption points measured with a determined sampling frequency. Each consumption curve corresponds to an iteration s of step 3 of the exponentiation algorithm. If the curve Cs' corresponds to the execution of step 3A, the relation between the rank s' of each consumption curve Cs' and the number of times "s" that step 3 of the exponentiation algorithm has been executed (including the execution corresponding to the curve Cs' considered) is given by the following relation:
s' = s + H(d_{v-1}, d_{v-2}, ..., d_{v-s-1})
or, if the curve Cs' corresponds to the execution of step 3B, by the following relation:
s' = s + H(d_{v-1}, d_{v-2}, ..., d_{v-s-1}) + 1
The relation between s' and s is therefore a function of the Hamming weight H(d_{v-1}, d_{v-2}, ..., d_{v-s-1}) of the part of the exponent d used during the previous steps of the exponentiation calculation. Since the Hamming weight represents the number of bits at 1 in the part of the exponent considered, if the exponent bits d_{v-1}, d_{v-2}, ..., d_{v-s-1} already used all equal zero, then s' equals, for example, s or s+1. Likewise, if the bits d_{v-1}, d_{v-2}, ..., d_{v-s-1} all equal 1, then s' equals, for example, 2s or 2s+1.
An "ideal" test process based on SPA should thus make it possible to determine, solely by observing the shape of these curves, whether each curve Cs' relates to the computation of LIM(a,a) or of LIM(a,m). According to the derivation method described above, this would allow the exponent bit values to be deduced. However, to prevent such information leakage, the latest generation of secure integrated circuits is equipped with countermeasures that blur their current consumption.
Thus, test processes based on SPA usually allow the computation algorithm and the implementation used by the integrated circuit to be identified, and the part of the curve relating to the modular exponentiation computation to be located within the general consumption curve of the integrated circuit. However, they do not allow a hypothesis about the exact operation performed by the integrated circuit to be verified.
Test processes based on statistical analysis techniques (such as DPA or CPA) have therefore been developed to identify the nature of the operations performed during the processing of the exponent.
Test process based on DPA
DPA, disclosed by P.C. Kocher, J. Jaffe and B. Jun in "Differential Power Analysis", Advances in Cryptology - CRYPTO '99, volume 1666 of Lecture Notes in Computer Science, pages 388-397, Springer, 1999, and the research that closely followed it, allows the secret key of a cryptographic algorithm to be discovered thanks to the acquisition of a large number of consumption curves. The applications of this technique studied most to date concern the DES algorithm, but the technique also applies to other encryption, decryption or signature algorithms, and in particular to modular exponentiation.
DPA consists in a statistical classification of the current consumption curves in order to find the information sought. It is based on the premise that the consumption of a CMOS-technology integrated circuit varies when a bit in a register or on a bus switches from 0 to 1, and does not vary when the bit stays at 0, stays at 1, or switches from 1 to 0 (discharge of the parasitic capacitance of the MOS transistors). Alternatively, it can be considered that the consumption of a CMOS-technology integrated circuit varies when a bit switches from 0 to 1 or from 1 to 0, and does not vary when the bit stays equal to 0 or stays equal to 1. This second hypothesis allows the usual "Hamming distance" or "Hamming weight" functions to be used to develop a consumption model that does not require knowledge of the structure of the integrated circuit in order to be applied.
The aim of DPA is to amplify this consumption difference, thanks to a statistical processing based on a large number of consumption curves, in order to draw a correlation between the measured consumption curves and a hypothesis expressed by a formula.
During the acquisition stage of these consumption curves, the test system applies M random messages m_0, m_1, m_2, ..., m_r, ..., m_{M-1} to the integrated circuit in such a way that the integrated circuit computes a transformed message by means of its cryptographic function (implicitly, or by sending a suitable encryption command to the integrated circuit).
As shown in Fig. 3, M current consumption curves C(m_0), C(m_1), C(m_2), ..., C(m_r), ..., C(m_{M-1}) are thus collected. Each of these consumption curves results from the operations performed by the integrated circuit to transform the message by the modular exponentiation function, but it can also result from other operations that the integrated circuit may perform at the same time.
Thanks to SPA, the consumption curves Cs'(m_0), Cs'(m_1), Cs'(m_2), ..., Cs'(m_r), ..., Cs'(m_{M-1}) are distinguished within these consumption curves. These consumption curves correspond to the execution steps of the modular exponentiation algorithm. As indicated above, each curve of rank s' corresponds to the s-th execution of step 3 of the algorithm for one of the M messages, and relates to the bit of the exponent d whose value it is desired to determine.
During the processing stage, the test system estimates the theoretical current consumption HW(d_{v-s}, m_r) of the integrated circuit at the computation step concerned. This consumption estimate is made for at least one of the two possible values of the exponent bit d_s sought. The test system is for example configured to estimate the theoretical consumption implied by the execution of the function LIM(a,m), and to do so for all the values m_r of the message m used during the acquisition. This theoretical consumption is for example estimated by calculating the Hamming weight of the result expected after the execution of the operation corresponding to the hypothesis concerned.
Based on the current consumption estimates, the test system divides the consumption curves into two groups G0 and G1:
G0 = {curves Cs'(m_r) corresponding, at the step s in question, to a low consumption of the integrated circuit},
G1 = {curves Cs'(m_r') corresponding, at the step s in question, to a high consumption of the integrated circuit}.
The test system then calculates the difference between the mean values of the curves of groups G0 and G1, to obtain a result curve or statistical differential curve.
If, in the statistical differential curve, a consumption peak appears at the position selected for the current consumption estimate, the test system deduces that the hypothesis about the value of bit d_{v-s} is correct, and thus that the operation performed here by the modular exponentiation algorithm is LIM(a,m). If no consumption peak appears, the difference of means shows no significant consumption difference compared with the noise (no exploitable signal), and the test system can consider the complementary hypothesis (d_{v-s} = 0, the operation performed being LIM(a,a)) to be verified, or proceed in a similar manner to verify this hypothesis.
The drawback of test processes based on DPA is that they are complex to implement and require the capture of a very large number of current consumption curves. Moreover, there are hardware countermeasures (such as providing clock jitter, generating background noise, etc.) that usually require preliminary signal processing steps (synchronisation, noise reduction, etc.) to be applied to the acquired current consumption curves. The number of current consumption curves to be acquired to obtain a reliable result also depends on the architecture of the integrated circuit studied, and can range from a few hundred curves to several thousand.
Test process based on CPA
CPA was disclosed by E. Brier, C. Clavier and F. Olivier in "Correlation Power Analysis with a Leakage Model", Cryptographic Hardware and Embedded Systems - CHES 2004, volume 3156 of Lecture Notes in Computer Science, pages 16-29, Springer, 2004. These authors proposed a linear current consumption model which assumes that the switching of a bit from 1 to 0 and the switching of a bit from 0 to 1 consume the same amount of current. They further proposed calculating a correlation coefficient between, on the one hand, the measured consumption points forming the captured consumption curves and, on the other hand, estimated consumption values calculated according to the linear consumption model and according to an assumption about the operation performed by the integrated circuit.
Figs. 4 and 5 show an example of CPA applied to the modular exponentiation algorithm. In this example, the test system seeks to know whether, at the s-th iteration of step 3 of the modular exponentiation algorithm, the operation performed after LIM(a,a) (that is, after step 3A) is again LIM(a,a) (that is, step 3A of the following iteration s+1) or LIM(a,m) (that is, step 3B of the iteration of rank s).
As shown in Fig. 4, the test system acquires M current consumption curves Cs'(m_r) (Cs'(m_0), Cs'(m_1), ..., Cs'(m_r), ..., Cs'(m_{M-1})) relating to the same iteration of the algorithm, each corresponding to a message m_r (m_0, m_1, ..., m_r, ..., m_{M-1}) sent to the integrated circuit. Each curve Cs'(m_r) comprises E current consumption points W_0, W_1, W_2, ..., W_k, ..., W_{E-1}, which define a first subset of points. The points of the same curve Cs'(m_r) are associated with current consumption estimates.
To this end, the current consumption HW is for example modelled as follows:
W = k1*H(D ⊕ R) + k2
where "R" is the reference state of a counter register of the integrated circuit, "D" is the value of the register at the end of the operation concerned, k1 is a proportionality factor, and k2 represents consumed current and/or noise not related to H(D ⊕ R). The function "H" is the Hamming distance between the values R and D of the register, that is the number of bits differing between D and R ("⊕" denotes the XOR function).
According to a simplified method, the reference value R of the register is chosen equal to 0, so that the calculation of the estimated current consumption points comes down to the Hamming weight (number of bits at 1) of the result of the operation considered. For the hypothesis concerned, this result is for example "a*m". The estimated consumption point HW then equals H(a*m). Thus, the hypothesis about the operation performed (for example LIM(a,m)) is converted into a current consumption estimate HW calculated by applying this linear consumption model.
As shown in Fig. 4, the test system then regroups the different current consumption points W_k forming each curve Cs' into vertical transversal subsets VE_k (VE_0, VE_1, VE_2, ..., VE_k, ..., VE_{E-1}), each of which includes the points W_k of the same rank k of each curve Cs'. Each vertical transversal subset VE_k is illustrated by a vertical dotted line, and the number of points it contains equals M, the number of curves analysed.
An estimated current consumption point HW_k is associated with each point W_k of the vertical transversal subset VE_k. This estimated point corresponds to the consumption estimate, calculated as described above, associated with the curve Cs'(m_r) to which the point belongs.
For each vertical transversal subset VE_k, the test system then calculates a vertical linear correlation coefficient VC_k between the points W_k of the subset considered and the associated estimated consumption points HW_k. This correlation coefficient equals, for example, the covariance between the measured consumption points W_k of the subset VE_k and the estimated consumption points HW_k associated with these measured points, divided by the product of the standard deviations of these two sets of points. A vertical correlation coefficient VC_k corresponding to the hypothesis being assessed is thus associated with each vertical transversal subset VE_k.
As shown in Figs. 5A and 5B, the test system thus obtains a set of vertical correlation coefficients VC_0, VC_1, ..., VC_k, ..., VC_{E-1}, which form either a vertical correlation curve VCC1 invalidating the hypothesis or a vertical correlation curve VCC2 confirming the hypothesis. The curve VCC2 presents one or more clear correlation peaks (normalised covariance values close to +1 or -1), indicating that the hypothesis about the operation is correct. The curve VCC1 presents no correlation peak. If the correlation curve VCC2 is obtained, the test procedure infers that the integrated circuit was performing LIM(a,m) when the curves Cs'(m_0) to Cs'(m_{M-1}) were acquired, and therefore that the bit d_s of the modular exponentiation exponent equals 1.
Test process based on Big Mac
The Big Mac analysis is disclosed in Colin D. Walter, "Sliding Windows Succumbs to Big Mac Attack", Cryptographic Hardware and Embedded Systems, CHES 2001, volume 2162 of Lecture Notes in Computer Science, pages 286-299, Springer, 2001, and in Colin D. Walter, "Longer keys may facilitate side channel attacks", Selected Areas in Cryptography, SAC 2003, volume 3006 of Lecture Notes in Computer Science, pages 42-57, Springer, 2003. This analysis is based on the atomicity of the large-integer multiplication described above, that is, on the fact that the execution of a multiplication of two large integers x and y comprises the execution of a plurality of basic multiplications x_i*y_j of the components x_i and y_j of the operands.
The test process based on Big Mac comprises the following steps:
combining the consumption sub-curves corresponding to the basic multiplications x_i*y_j for a fixed datum x_i and a variable index j, then
calculating the mean of the points of these sub-curves to obtain a resulting curve which shows the characteristics of x_i more clearly than the characteristics of y_j,
forming a dictionary with the averaged sub-curves, and afterwards,
identifying, by means of this dictionary, new sub-curves produced by a subsequent multiplication, so as to infer the value of the operand handled by that multiplication.
Summary of the known test processes
As can be seen, the test processes based on DPA and CPA require a large number of current consumption curves to be obtained. Even though the CPA-based test process is more efficient than the DPA-based one and usually requires only between 100 and a few hundred consumption curves, instead of thousands to tens of thousands for the DPA process, the number of curves to be obtained to carry out a CPA-based test process cannot be considered negligible.
In addition, the DPA- or CPA-based test processes can be countered by countermeasures consisting in masking the message m and/or the exponent d with random words. Indeed, it has been seen that the hypothesis about the consumption associated with LIM(a, m) requires knowledge of the message m in order to calculate its Hamming weight. Masking the message with random data no longer allows the estimated consumption values to be associated with the measured consumption values so as to calculate a correlation coefficient.
Finally, the Big Mac-based test process is difficult to implement and requires good knowledge of the architecture of the integrated circuit in order to develop a dictionary that actually contains the required model. The results obtained have been considered unsatisfactory, and this process does not appear to have been the subject of any known practical application.
Summary of the invention
Embodiments of the invention relate to a side-channel test process which can be applied, in particular but not exclusively, to modular exponentiation calculations, which is simple to implement, and which reduces the number of current consumption curves, or of curves of any other physical characteristic representative of the activity of the integrated circuit, that have to be obtained.
Embodiments of the invention also relate to a side-channel test process applicable to an integrated circuit that performs a multiplication of two binary words x and y comprising a plurality of basic multiplication steps of the components x_i of word x by the components y_j of word y.
Embodiments of the invention also relate to a side-channel test process integrated into the industrial qualification or certification process of an integrated circuit, in order to verify the robustness of the integrated circuit against side-channel attacks and its resistance to information leakage.
Embodiments of the invention also relate to countermeasures which, after a qualification or certification process comprising a test process according to an embodiment of the invention, allow an integrated circuit to be considered suitable for use.
More particularly, embodiments of the invention relate to a process for testing an integrated circuit device, comprising: during the execution by the integrated circuit of a multiplication of two binary words x and y, collecting a set of points representing a physical characteristic of the integrated circuit related to the switching of binary data, the multiplication of the two binary words x and y comprising a plurality of basic multiplication steps of components x_i of word x by components y_j of word y; dividing the set of points of the physical characteristic into a plurality of subsets of lateral points, each subset corresponding to a basic multiplication of a component x_i of rank i of word x by a component y_j of rank j of word y; forming at least one general hypothesis about the value x and/or the value y; for each subset of lateral points, forming a specific hypothesis about the value x_i and/or the value y_j associated with the general hypothesis; for each subset of lateral points, calculating an estimate of the value of the physical characteristic varying with the specific hypothesis, and attributing this estimate to the subset and to the points of the subset; and, using the estimates of the value of the physical characteristic associated with the subsets of lateral points, applying a step of horizontal transversal statistical processing to the subsets of lateral points in order to determine whether the general hypothesis is correct.
In one embodiment, the step of horizontal transversal statistical processing comprises: forming horizontal transversal subsets of points, each comprising the points of the same rank belonging to different subsets of lateral points; forming a set of correlation coefficients by calculating, for each horizontal transversal subset, a correlation coefficient between, on the one hand, the points of the subset and, on the other hand, the specific estimates of the value of the physical characteristic associated with each point of the subset; and determining from the profile of the set of correlation coefficients whether the general hypothesis is correct.
In one embodiment, determining whether the general hypothesis is correct comprises searching for at least one correlation peak in the set of correlation coefficients.
In one embodiment, the step of horizontal transversal statistical processing comprises: dividing the subsets of lateral points into a first group and a second group according to the estimates of the value of the physical characteristic attributed to them, the subsets with a high estimate of the physical characteristic being assigned to the first group and those with a low estimate to the second group; calculating the mean of the points of the same rank of each subset of the first group, to obtain a first subset of averaged points; calculating the mean of the points of the same rank of each subset of the second group, to obtain a second subset of averaged points; forming a subset of difference points, each difference point being equal to the difference between the points of the same rank of the first and second subsets of averaged points; and determining from the profile of the subset of difference points whether the general hypothesis is correct.
In one embodiment, determining whether the general hypothesis is correct comprises searching for one or more peaks of the physical characteristic in the subset of difference points.
In one embodiment, calculating the estimate of the value of the physical characteristic for each subset of lateral points comprises calculating, according to the specific hypothesis associated with the general hypothesis, the Hamming weight of data that vary with the value of the component x_i and/or of the component y_j associated with the subset of lateral points.
In one embodiment, the data which are a function of the value of the components x_i and/or y_j are equal to one of the following values: x_i, y_j, x_i*y_j, α*x_i + β*y_j, where α and β are weighting coefficients.
In one embodiment, the physical characteristic is one of the following: the current consumption, the absorption of a magnetic field by the integrated circuit, the electromagnetic radiation of the integrated circuit, or a combination thereof.
In one embodiment, the process comprises rejecting the integrated circuit if the statistical processing step makes it possible to verify that the general hypothesis is correct.
In one embodiment, the process is applied to an integrated circuit comprising: a function for processing external data, the execution of which comprises at least one conditional branching step leading to at least a first step of multiplication of binary words or a second step of multiplication of binary words, the conditional branching varying according to private data of the integrated circuit; and a multiplication function configured to perform the multiplication step designated by the conditional branching in a plurality of basic multiplication steps of the components x_i and y_j of the words to be multiplied; and the process comprises: sending external data to the integrated circuit; activating the function for processing the external data in the integrated circuit; during the execution by the integrated circuit of the multiplication that varies according to the conditional branching, collecting the set of points of the physical characteristic; forming at least one general hypothesis about the value of the private data and about the values, related to the value of the private data, of the binary words x, y to be multiplied; dividing the set of points into a plurality of subsets of lateral points, each subset corresponding to a basic multiplication of the component x_i of rank i of word x by the component y_j of rank j of word y; for each subset of lateral points, forming a specific hypothesis about the value of x_i and/or y_j associated with the general hypothesis; for each subset of lateral points, calculating an estimate of the value of the physical characteristic varying with the specific hypothesis, and attributing this estimate to the subset and to the points of the subset; and, using the estimates of the value of the physical characteristic associated with the subsets of lateral points, applying a step of horizontal transversal statistical processing to the subsets of lateral points in order to determine whether the general hypothesis about the value of the private data is correct.
In one embodiment, the process comprises rejecting the integrated circuit for failing to protect the private data if the statistical processing step makes it possible to verify that the general hypothesis is correct.
In one embodiment, the process is applied to an integrated circuit in which the data processing function is a modular exponentiation function and the private data is the exponent of the modular exponentiation function.
In one embodiment, the process is applied to an integrated circuit in which the data processing function is a cryptographic function comprising a modular exponentiation function, and the private data is the exponent of the modular exponentiation function, which forms a private key of the cryptographic function.
Embodiments of the invention also relate to a system for testing an integrated circuit, comprising: an execution component configured to make the integrated circuit perform a multiplication of two binary words x and y comprising a plurality of basic multiplication steps of components x_i of word x by components y_j of word y; a measurement component configured to measure and collect, during the execution of the multiplication, a set of points representing a physical characteristic of the integrated circuit related to the switching of binary data; and a data processor configured to: divide the set of points of the physical characteristic into a plurality of subsets of lateral points, each subset corresponding to a basic multiplication of the component x_i of rank i of word x by the component y_j of rank j of word y; form at least one general hypothesis about the value x and/or the value y; for each subset of lateral points, form at least one specific hypothesis about the value x_i and/or y_j associated with the general hypothesis; for each subset of lateral points, calculate an estimate of the value of the physical characteristic varying according to the specific hypothesis, and attribute this estimate to the subset of lateral points and to the points of the subset; and, using the estimates of the value of the physical characteristic attributed to the subsets of lateral points, apply a step of horizontal transversal statistical processing to the subsets of lateral points in order to determine whether the general hypothesis is correct.
In one embodiment, the system is configured to reject the integrated circuit if the statistical processing step makes it possible to verify that the general hypothesis is correct.
In one embodiment, the measurement component is configured to measure one of the following: the current consumption, the absorption of a magnetic field by the integrated circuit, the electromagnetic radiation of the integrated circuit, or a combination thereof.
Brief description of the drawings
The foregoing summary and the following detailed description of the invention will be better understood when read in conjunction with the accompanying drawings. For the purpose of illustrating the invention, currently preferred embodiments are shown in the drawings. It should be understood, however, that the invention is not limited to the precise arrangements and instrumentalities shown.
Embodiments of a test process according to the invention and of the corresponding countermeasures are described below in a non-limiting manner with reference to the accompanying drawings.
In the accompanying drawings:
Fig. 1 shows a conventional architecture of a secure integrated circuit;
Fig. 2 shows a current consumption curve of the integrated circuit of Fig. 1 during the execution of a modular exponentiation;
Fig. 3 shows current consumption curves used to carry out a conventional DPA- or CPA-based test process;
Fig. 4 shows, in more detail, current consumption curves used to carry out a conventional CPA-based test process;
Figs. 5A and 5B schematically show correlation curves provided by a conventional CPA-based test process;
Fig. 6 schematically shows a circuit designed to perform a conventional multiplication algorithm;
Fig. 7 schematically shows an embodiment of a test system according to the invention;
Fig. 8 shows a current consumption curve comprising current consumption sub-curves used by the test system of Fig. 7 to carry out a process according to an embodiment of the invention;
Fig. 9 is a more detailed view of the current consumption sub-curves and shows steps of a process according to an embodiment of the invention;
Fig. 10 is a table of estimated values of the physical characteristic associated with the points of the sub-curves of Fig. 9;
Figs. 11A and 11B schematically show two correlation curves generated by an embodiment of the test process according to the invention;
Figs. 12A, 12B and 12C respectively show two mean curves and one correlation curve generated by another embodiment of the test process according to the invention;
Fig. 13 schematically shows a multiplier circuit designed to perform a multiplication algorithm according to an embodiment of the invention; and
Fig. 14 shows a secure integrated circuit architecture comprising a countermeasure according to an embodiment of the invention.
Embodiment
General features of the test process according to embodiments of the invention
The test process according to embodiments of the invention is based on a detailed examination of the current consumption of the integrated circuit during the execution of steps 3A and 3B of the exponentiation algorithm described above, and more particularly on the observation of the current consumption of the integrated circuit during the execution of the LIM multiplication in each of these steps 3A and 3B.
The test process according to embodiments of the invention is based on the fact that, in practice, because of the size of the binary words accepted by the unit performing these multiplications, the multiplications LIM(a, a) and LIM(a, m) of large integers are not completed in a single step. The unit performing the multiplications is, for example, the arithmetic and logic unit of a microprocessor, a coprocessor or an arithmetic accelerator. The reduced size of the computing unit requires a multiplication algorithm LIM(x, y) in which the large integers x and y are "split" into l components of smaller size, such that:
x = (x_{l-1} x_{l-2} .... x_0)_b
y = (y_{l-1} y_{l-2} .... y_0)_b
where x_{l-1}, x_{l-2}, ..., x_0 and y_{l-1}, y_{l-2}, ..., y_0 are the components of the operands x and y in base "b",
each component comprising N bits, the base b being equal to 2^N; for example, for a computing unit accepting operands of N = 32 bits, b = 2^32.
The splitting of the operands into l parts means that, if the multiplication is performed according to the usual method, it comprises l^2 basic multiplications. Table 1 below gives, for examples of typical integrated circuit architectures, the relation between the size G of the operands x and y, the size N of their components x_i, y_j, the number l of components x_i, y_j forming an operand, and the number l^2 of basic multiplications x_i*y_j involved in the execution of the LIM function.
Table 1
Thus, each basic multiplication x_i*y_j performed by the multiplication algorithm LIM corresponds to a current consumption sub-curve C_{i,j}, and these sub-curves together form the current consumption curve of step 3A or step 3B of the exponentiation algorithm.
The test process according to embodiments of the invention comprises a step of horizontal transversal statistical processing of such sub-curves, in order to verify a hypothesis about the variables which are the subject of the multiplication, and thereby to verify a hypothesis about the conditional branching that caused the multiplication to be performed on these variables. This process requires only a single consumption curve to be obtained, by sending a single message m to the integrated circuit.
Example of implementation of the test process
The aim of the embodiment of the test process described below is to determine the secret exponent used by the integrated circuit during a modular exponentiation calculation. The integrated circuit is, for example, the conventional integrated circuit CIC1 described above in relation to Fig. 1. The modular exponentiation calculation is, for example, performed according to the algorithm already described above:
Exponentiation algorithm:
Input:
  "m" and "n" of integer values such that m < n
  "d" an exponent of v bits such that d = (d_{v-1} d_{v-2} .... d_0)_2
Output: a = m^d modulo n
Step 1: a = 1
Step 2: Pre-calculations of the Barrett reduction
Step 3: for s from 1 to v do:
  (Step 3A) a = BRED(LIM(a, a), n)
  (Step 3B) if d_{v-s} = 1
            then a = BRED(LIM(a, m), n)
Step 4: Return result a
As indicated above, finding the bits of the exponent d requires determining whether step 3 of this algorithm comprises only step 3A or, on the contrary, step 3A followed by step 3B. From the first iteration (s = 1) of step 3 to the last (s = v), the test process according to embodiments of the invention makes it possible, from a single current consumption curve, to determine whether the operation performed by the microprocessor or coprocessor is of type LIM(a, a) or of type LIM(a, m), on the basis of the consumption sub-curves corresponding to the basic multiplications executed by the intervening LIM multiplication.
Still as an example of implementation of this process, it is also assumed below that the multiplication LIM involved in the execution of the modular exponentiation algorithm is performed according to the academic method (that is, the most common method for multiplying large numbers). This academic method is, for example, implemented by the following algorithm:
Algorithm LIM (LIM multiplication - academic method):
Inputs:
  x = (x_{l-1}, x_{l-2}, ... x_0)_b
  y = (y_{l-1}, y_{l-2}, ... y_0)_b
Output: R = LIM(x, y) = x*y = (R_{2l-1} R_{2l-2} .... R_0)_b
Step 1:
  For i from 0 to 2l-1 do: R_i = 0
Step 2:
  For i from 0 to l-1 do:
    c ← 0
    for j from 0 to l-1 do:
      u|v ← (R_{i+j} + x_i*y_j) + c
      R_{i+j} ← v and c ← u
    R_{i+l} ← u
Step 3: Return (R)
where "|" denotes the concatenation of the intermediate variables u and v.
Thus, the l^2 iterative calculation steps involving the components x_i, y_j of the large integers x, y make it possible to obtain 2l intermediate results R_{2l-1}, R_{2l-2}, ..., R_0 of N bits each. These are concatenated in an output register to form the final result of the multiplication of x by y.
To give a better idea, Fig. 6 shows an example of multiplier hardware SMT1 provided to perform the multiplication of two operands x and y according to the above algorithm. The architecture of the multiplier is modelled on this algorithm, and the multiplier SMT1 thus comprises: input buffers BX, BY receiving the G-bit operands x and y; an output buffer BR providing the result R; a multiplier MULT having two N-bit inputs and one 2N-bit output; an adder AD having one 2N-bit input, two N-bit inputs and one 2N-bit output; a 2N-bit output register comprising two concatenated N-bit registers Ru and Rv, each for receiving one of the intermediate variables u and v of the algorithm; and a register Rc for receiving the carry c of the algorithm. A sequencer SM1 (for example a state machine) provides control signals t1, t2, ..., t9, t10, ... tn to these different elements and is configured to execute the algorithm upon receipt of a command STM ("start multiplication").
The buffer BX comprises l N-bit registers, each receiving one of the components x_{l-1}, x_{l-2}, ..., x_0 of x. The buffer BY comprises l N-bit registers, each receiving one of the components y_{l-1}, y_{l-2}, ..., y_0 of y. The output buffer BR comprises 2l N-bit registers, each receiving one of the components R_{2l-1}, R_{2l-2}, ..., R_0 of the result of the multiplication of x by y. Multiplexers MX1, MX2 controlled by the sequencer SM1 allow one of the components x_i to be applied to one input of the multiplier and one of the components y_j to be applied to its other input, which provides the 2N-bit result x_i*y_j. The 2N-bit output of the multiplier MULT is linked to the 2N-bit input of the adder AD. The N most significant bits of the 2N-bit output of the adder AD are applied to the input of the register Ru, and the other N bits are applied to the input of the register Rv. The output of the register Rv is applied, through a demultiplexer DMX controlled by the sequencer SM1, to the input of one of the registers R_{i+j} of the buffer BR. The output of one of the registers R_{i+j} of the buffer BR is applied, through a multiplexer MX3 controlled by the sequencer SM1, to one N-bit input of the adder. The other N-bit input of the adder is linked to the output of the register Rc, and the input of the register Rc is linked to the output of the register Ru. The sequencer SM1 controls the writing and reading of these different registers in order to execute the algorithm.
Before the command STM is applied, depending on whether the operation to be performed is LIM(a, a) or LIM(a, m), the data to be multiplied, "a by a" or "a by m", are stored in the buffers BX and BY as operands x and y. In the first case, the registers x_i of the buffer BX receive the components a_{l-1}, a_{l-2}, ..., a_0 of a, and the registers y_j of the buffer BY receive the same components. In the second case, the registers x_i of the buffer BX receive the components a_{l-1}, a_{l-2}, ..., a_0 of a, and the registers y_j of the buffer BY receive the components m_{l-1}, m_{l-2}, ..., m_0 of m.
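As an added example (not the patent's or any vendor's code), the following Python models the exponentiation algorithm (Steps 1-4) and Algorithm LIM above on N-bit components in base b = 2^N, and logs every basic multiplication x_i*y_j in execution order, i.e. the sequence of l^2 sub-curves C_{i,j} that the consumption curve of a step 3A or 3B is made of. It assumes N = 8 and l = 4 for readability, replaces BRED by a plain modulo (same residue), and all function names are ours.

```python
N = 8            # bits per component; a real coprocessor would use e.g. N = 32
B = 1 << N       # base b = 2^N
MASK = B - 1


def split(x, l):
    """Split integer x into l components of N bits, least significant first,
    so that x = sum(x_i * b**i): returns [x_0, x_1, ..., x_{l-1}]."""
    return [(x >> (N * i)) & MASK for i in range(l)]


def join(limbs):
    """Concatenate components back into an integer (inverse of split)."""
    return sum(v << (N * k) for k, v in enumerate(limbs))


def lim(x_limbs, y_limbs, ops=None):
    """Steps 1-3 of Algorithm LIM (academic/schoolbook method).

    x_limbs, y_limbs: l components each, index 0 = least significant.
    Returns the 2l components R_0 .. R_{2l-1} of x*y.
    If `ops` is a list, every basic multiplication x_i*y_j is appended to
    it as (i, j, x_i, y_j) in execution order: one entry per sub-curve
    C_{i,j} of the consumption curve, l*l entries in total.
    """
    l = len(x_limbs)
    assert len(y_limbs) == l
    R = [0] * (2 * l)                                      # Step 1
    for i in range(l):                                     # Step 2
        c = 0
        for j in range(l):
            if ops is not None:
                ops.append((i, j, x_limbs[i], y_limbs[j]))
            uv = R[i + j] + x_limbs[i] * y_limbs[j] + c   # u|v fits in 2N bits
            R[i + j] = uv & MASK                           # v
            c = uv >> N                                    # u
        R[i + l] = c                                       # carry u of the last column
    return R                                               # Step 3


def mod_exp(m, d_bits, n, l, calls=None):
    """Steps 1-4 of the exponentiation algorithm.

    d_bits lists the exponent bits d_{v-1} .. d_0, most significant first,
    so iteration s uses d_{v-s}.  Barrett reduction BRED is replaced by a
    plain modulo, which yields the same residue.  When `calls` is a list,
    each LIM invocation is logged as ('3A' or '3B', ops): Step 3A runs in
    every iteration, Step 3B only when the current exponent bit is 1, which
    is exactly the conditional branching the test process looks for.
    """
    a = 1                                                  # Step 1
    for bit in d_bits:                                     # Step 3, s = 1 .. v
        ops = []
        a = join(lim(split(a, l), split(a, l), ops)) % n   # Step 3A: LIM(a, a)
        if calls is not None:
            calls.append(("3A", ops))
        if bit == 1:                                       # Step 3B: LIM(a, m)
            ops = []
            a = join(lim(split(a, l), split(m, l), ops)) % n
            if calls is not None:
                calls.append(("3B", ops))
    return a                                               # Step 4


if __name__ == "__main__":
    # Constructed values: 32-bit operands split into l = 4 components of 8 bits.
    n = 4294967291                       # 2^32 - 5, a prime below 2^32
    m = 0x12345678
    d_bits = [1, 0, 1, 1]                # d = 11
    log = []
    result = mod_exp(m, d_bits, n, 4, log)
    assert result == pow(m, 11, n)
    print(result, [step for step, _ in log])
```

The logged sequence for d = 11 is 3A, 3B, 3A, 3A, 3B, 3A, 3B: reading the type of each LIM call off the curve is what recovers the exponent bits, each call contributing l^2 = 16 sub-curves.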
Acquisition of the current consumption sub-curves
Fig. 7 shows an example of an integrated circuit test system provided to implement a test process according to an embodiment of the invention. By way of example, this test system is assumed to be configured to test the contactless integrated circuit CIC1 of Fig. 1.
The test system comprises: a chip card reader RD (here a contactless reader); a measuring probe PB linked to a measuring device MD (for example a digital oscilloscope) in order to acquire the consumption curves of the integrated circuit; and a computing component, such as a personal computer PC. The computer is linked to the measuring device and to the card reader RD, and runs a test program. This test program comprises in particular a communication program for communicating with the integrated circuit and sending messages to it, a signal processing program, and a program implementing the calculation steps of the process according to the invention.
The probe PB may be a current probe (for example a resistor placed on the supply terminal Vcc of the integrated circuit), or an electromagnetic probe linked to the measuring device through a signal amplifier AMP. Alternatively, a current probe may be combined with an electromagnetic probe. Studies in electromagnetic analysis (EMA) of electromagnetic radiation have shown that the electromagnetic radiation emitted by an operating integrated circuit provides information about the switching of bits within the integrated circuit, similar to the measurement of the current consumed. The advantage of an electromagnetic probe is that it can be placed close to the part of the circuit whose operation is to be analysed (for example near the core of the microprocessor or near the core of a cryptographic calculation coprocessor).
In addition, in the case of a contactless integrated circuit, an inductive probe measuring the absorption by the integrated circuit of the magnetic field emitted by the reader may replace the current probe. Such an inductive probe (for example an antenna coil) may itself be combined with an electromagnetic field probe placed near the part of the circuit to be studied.
Thus, in the present application, the term "current consumption" is used only for the sake of simplicity and designates any measurable physical characteristic whose variations are representative of the switching of binary data within the integrated circuit or within the part of the integrated circuit under study. The physical characteristic may be measured at the terminals of the integrated circuit or near the part of the integrated circuit under study.
The sampling frequency of the physical characteristic should moreover be high enough to collect several points per sub-curve; in practice, for example, between 3 and 100 points are collected per sub-curve. Provision may however be made for collecting up to several thousand points per sub-curve.
As shown in Fig. 8, the current consumption curves C_{i,j} are obtained by an accurate analysis of the current consumption curves C_s, each of which corresponds to the execution of step 3A or step 3B (algorithm LIM) during one iteration of step 3 of the exponentiation algorithm. The identification of the groups of sub-curves within the general current consumption curve is performed as a first step by means of conventional SPA. This first identification is performed manually during the development phase of the test program. Subsequent identifications can be performed automatically by providing the test program with time markers identifying the sub-curves.
Once this first step is completed, the test program has the following sub-curves:
C_{0,0} = consumption sub-curve of the calculation of a_0*a_0 or a_0*m_0
C_{0,1} = consumption sub-curve of the calculation of a_0*a_1 or a_0*m_1
C_{0,l-1} = consumption sub-curve of the calculation of a_0*a_{l-1} or a_0*m_{l-1}
C_{1,0} = consumption sub-curve of the calculation of a_1*a_0 or a_1*m_0
C_{1,1} = consumption sub-curve of the calculation of a_1*a_1 or a_1*m_1
C_{1,l-1} = consumption sub-curve of the calculation of a_1*a_{l-1} or a_1*m_{l-1}
C_{i,0} = consumption sub-curve of the calculation of a_i*a_0 or a_i*m_0
C_{i,1} = consumption sub-curve of the calculation of a_i*a_1 or a_i*m_1
C_{i,l-1} = consumption sub-curve of the calculation of a_i*a_{l-1} or a_i*m_{l-1}
C_{l-1,0} = consumption sub-curve of the calculation of a_{l-1}*a_0 or a_{l-1}*m_0
C_{l-1,1} = consumption sub-curve of the calculation of a_{l-1}*a_1 or a_{l-1}*m_1
C_{l-1,l-1} = consumption sub-curve of the calculation of a_{l-1}*a_{l-1} or a_{l-1}*m_{l-1}
The test program thus has l^2 sub-curves C_{0,0} to C_{l-1,l-1} (see Table 1). The test program then applies a DPA or CPA analysis to this set of sub-curves in order to determine whether the operations performed by the algorithm are of type a_i*a_j or of type a_i*m_j.
Therefore, compared with the conventional DPA- or CPA-based test processes, which require the superposition of current consumption curves and can therefore be qualified as "vertical", the test process according to the invention can be qualified as "horizontal".
based on the realization of the test process of CPA
Fig. 9 partially illustrates the execution relative to multiplication, the l of curve C s' 2individual current drain curve C i, j (C0,0, C0,1 ..., Ci, j ..., Cl-1, l-1).
Sub-curve C i, j are used for determining that modulus-power algorithm is that this multiplication algorithm of request performs computing a*a or computing a*m, and in the rank of multiplication algorithm, this will cause performing l 2individual computing ai*aj or l 2individual computing ai*mj.
In fact, if the step 3A of exponentiation algorithms calls algorithm LIM, then the input of this algorithm is:
x=a=(al-1al-2....a0)b
y=a=(al-1al-2....a0)b
And thus the step 2 of this algorithm LIM comprises calculating below:
-for j from 0to l-1do:
u|v←(Ri+j+aj*ai)+c
But if call algorithm LIM at the step 3B of exponentiation algorithms, then the input of this algorithm is:
x=a=(al-1al-2....a0)b
y=m=(ml-1ml-2....m0)b
And thus the step 2 of this algorithm LIM comprises calculating below:
-for j from 0to l-1do:
u|v←(Ri+j+aj*mi)+c
Each sub-curve Ci,j is formed by P current consumption points W0,i,j, W1,i,j, W2,i,j, ..., Wk,i,j, ..., WP-1,i,j, and each sub-curve Ci,j forms a subset of points. Note that the points considered here are those that will be used in the correlation calculation below. In practice, depending on the sampling frequency used to capture the current consumption points, each sub-curve may contain more points than those used for the calculation.
The test procedure associates with the points of a same sub-curve Ci,j at least one hypothesis about the operation performed by the integrated circuit. This hypothesis is chosen from two possible hypotheses: the first hypothesis is that the integrated circuit computes ai*aj, the second hypothesis is that the integrated circuit computes ai*mj.
Following the principle of CPA described above, the test procedure then uses a linear current consumption model to transform the hypothesis about the operation performed by the integrated circuit into a corresponding estimated current consumption value, or "correlation model". In a simplified approach, the test procedure can be configured to determine the estimated current consumption value by computing the Hamming weight (number of bits at 1) of the most relevant variable of the operation considered, or of a combination of its most relevant variables.
For example, assume that the test procedure attempts to verify the hypothesis ai*mj. The estimated current consumption value HWi,j for this hypothesis is then computed using the relation:
HWi,j = H(mj)
Other variants of this model can also be provided, such as:
HWi,j = H(ai*mj)
More complex models can also be used, such as:
HWi,j = H(α*ai + β*mj)
where α and β are weighting coefficients set as a function of the microprocessor or coprocessor performing the multiplication (after its characterization).
Note that the model HWi,j = H(ai) cannot be used to verify the hypothesis ai*mj, because the term ai appears in both hypotheses ai*aj and ai*mj and is therefore not a valid discriminant.
It will be clear to those skilled in the art that any other statistically valid model may be used to estimate the current consumption. In particular, more complex models can be used in which the values of the registers of the integrated circuit are not considered constant but depend on the previous operations and on the structure of the circuit.
It should further be noted that the test procedure can compute the estimated consumption values HWi,j from the model it is given because the components ai of the variable a and the components mj of the message m are known. The value of the variable a is derived from the previous iterations (for which the test procedure has already found the bits of the exponent d), or equals 1 if this is the first iteration of the modular exponentiation algorithm. The value of m is known because the message is generated and sent by the test program.
Then, as shown in Fig. 9, the test procedure defines horizontal truncation subsets of points HEk (HE0, HE1, HE2, ..., HEk, ..., HEP-1), each comprising the points Wk,i,j of the same rank k taken from each sub-curve Ci,j. Each horizontal truncation subset HEk is shown in Fig. 9 by a dashed line, and the number of points it contains thus equals the number l² of basic multiplications ai*mj.
Then, the estimated current consumption point HWi,j is associated with each point Wk,i,j of the horizontal truncation subset HEk. This estimated point corresponds to the hypothesis (it is the estimated consumption for the curve Ci,j to which the point belongs) and is computed in the same manner as described above.
Then, for each horizontal truncation subset HEk, the test procedure computes a horizontal correlation coefficient HCk between the points Wk,i,j of the subset considered and the estimated consumption points HWi,j associated with them. The correlation coefficient HCk is for example computed using the relation:
$$HC_k = \frac{\operatorname{cov}(W_{k,i,j}, HW_{i,j})}{\sigma_{W_{k,i,j}}\,\sigma_{HW_{i,j}}}$$
Or:
$$HC_k = \frac{l^2 \sum (W_{k,i,j}\,HW_{i,j}) - \sum W_{k,i,j} \sum HW_{i,j}}{\sqrt{l^2 \sum W_{k,i,j}^2 - \left(\sum W_{k,i,j}\right)^2}\;\sqrt{l^2 \sum HW_{i,j}^2 - \left(\sum HW_{i,j}\right)^2}}$$
That is, the covariance between the points Wk,i,j and the points HWi,j is normalized by the product of their standard deviations σ(Wk,i,j) and σ(HWi,j), so that HCk lies between -1 and +1.
Therefore, as shown in Table 2 below (and in Fig. 10), a horizontal correlation coefficient HCk corresponding to the hypothesis to be verified is associated with each horizontal truncation subset HEk.
Table 2
As shown in Figs. 11A and 11B, the test procedure thus obtains either a horizontal correlation curve HCC1, which confirms the hypothesis studied, or a horizontal correlation curve HCC2, which invalidates it. The curve HCC1 or HCC2 comprises the correlation coefficients HC0, HC1, ..., HCk, ..., HCP-1. The curve HCC1 presents one or more correlation peaks (values close to +1 or -1), whereas the curve HCC2 presents no correlation peak.
Confirmation of the hypothesis studied comprises, for example, a search by the test procedure for at least one correlation peak. Searching for a correlation peak comprises searching for at least one correlation coefficient whose absolute value lies between a minimum correlation value HCmin and 1. The minimum correlation value is chosen close enough to 1 for a correlation to be considered present.
If the hypothesis (according to which the operation performed is ai*mj) is confirmed by a correlation peak, the test procedure deduces that the integrated circuit was performing the operation ai*mj when the sub-curves C0,0 to Cl-1,l-1 of the curve Cs' were captured, and deduces that the bit ds of the modular exponentiation exponent is 1 (see the relation between s' and s indicated above).
Note that the correlation curve HCC1 corresponding to the correct hypothesis does not show a correlation peak at every measured consumption point: some consumption points are not linked to the execution of the operation studied but are related to another activity carried out by the integrated circuit while executing the algorithm.
Furthermore, the test procedure can be configured to also analyze the complementary hypothesis, namely ai*aj, in particular if the first hypothesis proves incorrect, and thus to search for at least one correlation peak in order to judge whether this other hypothesis is correct.
Alternatively, the test procedure can be configured to consider the complementary hypothesis correct if the correlation curve does not confirm the first hypothesis. It has been shown that, after a period of development of the test program and of search for the best current consumption estimator, the test procedure becomes reliable enough that verifying both hypotheses is no longer necessary.
In one embodiment, the hypothesis a*m can also be verified several times by the test procedure using several correlation models, such as H(mj) and H(ai*mj).
In another embodiment, the following verification can be performed by referring to the points of the next sub-curve Cs'+1: for the sub-curve Cs' of rank s', the hypothesis a*m is assumed correct. Because of the structure of the modular exponentiation algorithm, the result of the previous iteration is contained in the variable a of the next iteration. In this case, and contrary to what was indicated above, the term ai can be a valid discriminant for estimating the current consumption.
Implementation of the test process based on DPA
The l² horizontal consumption sub-curves Ci,j also allow the test process to be implemented by means of a DPA-type technique.
This analysis requires an acquisition step and a processing step. The acquisition step comprises only the acquisition of a single consumption curve Cs' (comprising the sub-curves Ci,j). Note that in particular cases this acquisition may be combined with a vertical acquisition (requiring several messages to be sent to the integrated circuit). However, because of the very large number of sub-curves provided by the process according to the invention (see Table 1 above), the number of vertical acquisitions is low compared to the number of vertical acquisitions required by a conventional DPA or CPA.
The test procedure then performs the DPA processing step on the single curve Cs' (Fig. 9), by treating the horizontal sub-curves Ci,j of the curve Cs' as the individual curves to be classified.
Using a consumption model similar to those described above for the CPA-based implementation, the test procedure estimates the consumption of each calculation step corresponding to each sub-curve. More particularly, the test procedure uses a sub-curve classification function f(ai, mj), such as:
- f(ai, mj) = Hamming weight of one or more bits of mj, or
- f(ai, mj) = Hamming weight of one or more bits of ai*mj, or
- f(ai, mj) = Hamming weight of one or more bits of ai and Hamming weight of one or more bits of mj.
Then, for the hypothesis considered, the test procedure classifies the measured consumption sub-curves Ci,j into two groups G0 and G1:
- G0 = {sub-curves Ci,j that should correspond to a low consumption of the integrated circuit at the step ai*mj considered},
- G1 = {sub-curves Ci,j that should correspond to a high consumption of the integrated circuit at the step ai*mj considered}.
For example, as shown in Fig. 9, the sub-curves C0,0 and Cl-1,l-1 shown are classified in the group G0, and the sub-curve C0,1 is classified in the group G1.
The test procedure can then compute:
- a first mean curve M0 (shown schematically in Fig. 12A), each point M0Wk of rank k (M0W0, M0W1, ..., M0Wk, ..., M0WP-1) of which equals the mean of the points Wk,i,j of the same rank k of all the sub-curves Ci,j of the group G0;
- a second mean curve M1 (shown schematically in Fig. 12B), each point M1Wk of rank k (M1W0, M1W1, ..., M1Wk, ..., M1WP-1) of which equals the mean of the points Wk,i,j of the same rank k of all the sub-curves Ci,j of the group G1; and
- a statistical difference curve DM, or difference-of-means curve (shown schematically in Fig. 12C), each point DWk of rank k (DW0, DW1, ..., DWk, ..., DWP-1) of which equals the difference between the points M0Wk and M1Wk of the same rank k of the mean curves M0 and M1.
If one or more current consumption peaks appear in the statistical difference curve DM at the positions chosen for the current consumption estimate, the test procedure deduces that the hypothesis about the value of the exponent bit is correct, and therefore that the operation performed by the modular exponentiation algorithm is LIM(a, m). If no consumption peak appears, the test procedure can consider that the complementary hypothesis (dv-s = 0) is verified and that the operation performed is LIM(a, a), or it can continue in a comparable manner in order to verify the complementary hypothesis LIM(a, a).
The search for a consumption peak (which is the counterpart of the search for a correlation peak in the CPA-based embodiment) comprises, for example, searching for a difference consumption point DWk whose value is greater than or equal to a minimum consumption value DWmin.
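Added example, not part of the patent text: the Python below simulates both the horizontal CPA of Figs. 9 to 11 and the horizontal DPA just described on constructed sub-curves. It assumes a leakage in which loading the second operand yj costs H(yj) at one sample rank and the product xi*yj costs H(xi*yj) at another, plus Gaussian noise; the word size, the two ranks and the noise level are assumptions.

```python
import random

WORD_BITS = 8             # component size: b = 2**WORD_BITS (assumption)
L = 64                    # components per operand (l), hence l**2 sub-curves C_{i,j}
P = 24                    # points W_{k,i,j} per sub-curve
K_LOAD, K_MUL = 5, 11     # assumed sample ranks where y_j and x_i*y_j leak
NOISE = 0.5               # assumed Gaussian noise (std) on every point


def hw(v):
    """Hamming weight: number of bits at 1."""
    return bin(v).count("1")


def simulate_sub_curves(a, m, chip_computes_a_times_m, rng):
    """Constructed consumption curve Cs' already split into its l**2 sub-curves.

    Returns {(i, j): [W_{0,i,j}, ..., W_{P-1,i,j}]}.  The chip really computes
    either a*a or a*m; the test procedure does not know which and must find out.
    """
    y = m if chip_computes_a_times_m else a
    curves = {}
    for i in range(L):
        for j in range(L):
            pts = [rng.gauss(0.0, NOISE) for _ in range(P)]
            pts[K_LOAD] += hw(y[j])          # operand y_j is loaded here
            pts[K_MUL] += hw(a[i] * y[j])    # product x_i*y_j appears here
            curves[(i, j)] = pts
    return curves


def pearson(xs, ys):
    """Correlation coefficient in the form of the page's second HC_k formula."""
    n = len(xs)
    sx, sy = sum(xs), sum(ys)
    sxy = sum(x * y for x, y in zip(xs, ys))
    sxx = sum(x * x for x in xs)
    syy = sum(y * y for y in ys)
    den = ((n * sxx - sx * sx) * (n * syy - sy * sy)) ** 0.5
    return (n * sxy - sx * sy) / den if den else 0.0


def horizontal_cpa(curves, model):
    """Horizontal correlation curve HC_0 .. HC_{P-1}.

    For each horizontal subset HE_k (the points of rank k, one per sub-curve),
    correlate the l**2 measured points W_{k,i,j} with the estimates HW_{i,j}.
    """
    keys = sorted(curves)
    est = [model(i, j) for i, j in keys]
    return [pearson([curves[key][k] for key in keys], est) for k in range(P)]


def correlation_peak(hc, hc_min=0.8):
    """Rank of the strongest |HC_k|, or None if it stays below HC_min."""
    k = max(range(len(hc)), key=lambda r: abs(hc[r]))
    return k if abs(hc[k]) >= hc_min else None


def horizontal_dpa(curves, is_high):
    """Difference-of-means curve DM = M1 - M0.

    Sub-curves go to G0 (expected low consumption) or G1 (expected high)
    according to the classification function; each group is averaged rank by rank.
    """
    g0 = [c for (i, j), c in curves.items() if not is_high(i, j)]
    g1 = [c for (i, j), c in curves.items() if is_high(i, j)]
    m0 = [sum(c[k] for c in g0) / len(g0) for k in range(P)]
    m1 = [sum(c[k] for c in g1) / len(g1) for k in range(P)]
    return [m1[k] - m0[k] for k in range(P)]


def run_test(seed=7):
    """One exponentiation step: decide whether the chip computes a*m or a*a."""
    rng = random.Random(seed)
    a = [rng.randrange(1 << WORD_BITS) for _ in range(L)]  # known from earlier bits
    m = [rng.randrange(1 << WORD_BITS) for _ in range(L)]  # message sent by the tester
    curves = simulate_sub_curves(a, m, True, rng)          # ground truth: a*m

    # CPA: model H(m_j) for hypothesis a*m, H(a_j) for the complementary a*a
    hc_am = horizontal_cpa(curves, lambda i, j: hw(m[j]))
    hc_aa = horizontal_cpa(curves, lambda i, j: hw(a[j]))

    # DPA: classify sub-curves by whether H(m_j) lies in the upper half
    half = WORD_BITS // 2
    dm_am = horizontal_dpa(curves, lambda i, j: hw(m[j]) >= half)

    return {
        "peak_am": correlation_peak(hc_am),   # K_LOAD: hypothesis a*m confirmed
        "peak_aa": correlation_peak(hc_aa),   # None: hypothesis a*a rejected
        "max_hc_aa": max(abs(v) for v in hc_aa),
        "dm_am": dm_am,
    }


if __name__ == "__main__":
    r = run_test()
    print("a*m correlation peak at rank", r["peak_am"], "| a*a peak:", r["peak_aa"])
    print("DM peak at rank", max(range(P), key=lambda k: abs(r["dm_am"][k])))
```

A circuit that orders the basic multiplications unpredictably, as proposed later on this page, breaks the assignment of points to sub-curves on which both `horizontal_cpa` and `horizontal_dpa` depend.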
Other applications of embodiments of the invention
It will be clear to those skilled in the art that embodiments of the test process according to the invention can be applied to the test of integrated circuits implementing various types of algorithms (cryptographic or not, modular exponentiation or not), provided the algorithm includes a conditional branch that causes a multiplication to be executed on different operands.
In general, embodiments of the invention can be applied to the test of integrated circuits implementing any type of multiplication algorithm comprising several basic multiplications xi*yj (such as COMBA or KARATSUBA multiplication, invoked by a higher-level algorithm through a conditional branch). Embodiments of the invention can also be applied to the test of integrated circuits using a modular multiplication function comprising a reduction function (such as the Montgomery function, the Quisquater function or Sedlak's ZDN multiplication, which also comprise several basic multiplications xi*yj).
In all these applications, the invention allows hypotheses about the conditional branch to be evaluated, the secret data on which the conditional branch depends to be derived, and a test system for the qualification or certification of integrated circuits to be implemented. If the test system can find the secret, the integrated circuit is rejected because it failed to preserve that secret.
Effect of conventional countermeasures
In order for an integrated circuit to successfully pass a conventional qualification or certification process, integrated circuit designers usually provide countermeasures, the most common of which are the following:
i) Randomization of the exponent d:
The exponent d is replaced by a random exponent d', such as
d' = d + K
where K is a multiple of the order of the multiplicative group in which the calculation is performed. For example, in the case of the RSA algorithm, K = k*φ(n), where k is a random number and φ is Euler's function, φ(n) = (p-1)*(q-1), p and q being the integers such that p*q = n.
ii) Additive randomization of the message m and of the exponentiation modulus n:
The received message m is transformed into a message m* such that:
m* = m + r1*n modulo r2*n
that is:
m* = m + u*n
with u = r1 modulo r2, where r1, r2 are random numbers that differ for each new cryptographic calculation cycle.
iii) Multiplicative randomization of the message m:
The received message m is transformed into a message m* such that:
m* = r^e * m modulo n
where r is a random number and e is the public exponent.
Countermeasure i) appears to be ineffective against the test process according to embodiments of the invention, and only counters vertical DPA and CPA. The test process according to the invention requires only a single consumption curve and allows the exponent d' to be found. Even though the exponent d' is derived from the initial exponent d, the exponent d' can be used as a private key to perform the modular exponentiation just as well as the initial exponent.
As regards countermeasures ii) and iii), it also appears that the test process according to embodiments of the invention allows such countermeasures to be defeated by incorporating hypotheses about the value of the randomized message into the hypotheses considered. This is because the horizontal truncation statistical processing is based on a single consumption curve relating to a single message, rather than on a vertical truncation of the statistics across several consumption curves relating to several messages. These countermeasures multiply the number of hypotheses to be processed and slow down the execution of the process according to the invention, but they do not prevent determining which operation the integrated circuit performs, unless the number of hypotheses to be processed becomes too large.
Suitable countermeasure
Embodiments of the invention also relate to providing a countermeasure that allows an integrated circuit to be considered usable after a qualification or certification test comprising the process according to embodiments of the invention.
It is proposed here to protect the multiplication algorithm against the horizontal analysis according to embodiments of the invention by randomizing the execution order of the basic multiplications xi*yj. This randomization comprises either randomizing the processing order of the components xi while keeping, for each selected xi, the processing order of the components yj (partial randomization), or randomizing both the processing order of the components xi and the processing order of the components yj (complete randomization).
As an example of partial randomization, the multiplication sequence:
xi*y0 - xi*y1 - xi*y3 - xi*y4 ... xi*yl-1
becomes, for example (randomly):
xi*y15 - xi*y5 - xi*y18 - xi*yl-1 ... xi*y2
In the case of complete randomization, all the multiplications xi*yj are executed in a random order.
Example of a randomized LIM algorithm in the case of partial randomization:
Inputs:
x = (xl-1, xl-2, ... x0)b
y = (yl-1, yl-2, ... y0)b
Output: R = LIM(x, y) = x*y = (R2l-1 R2l-2 ... R0)b
Step 1:
Compute or receive a permutation vector α such that
α = (αl-1, αl-2, ... α0)
Step 2:
for i from 0 to 2l-1 do: Ri = 0
Step 3:
for h from 0 to l-1 do:
    i ← αh; c ← 0
    for j from 0 to l-1 do:
        u|v ← (Ri+j + xi*yj) + c
        Ri+j ← v and c ← u
    as long as c is different from 0, do:
        u|v ← Ri+j + c
        Ri+j ← v and c ← u
        j ← j + 1
Step 4: Return(R)
Such a randomized LIM algorithm can be executed by software or by a hardware circuit.
In addition, such randomization can be combined with an additive or subtractive masking of the components xi, of the components yj, or of both, which consists in combining, by addition or subtraction, the components xi and/or yj with one random or pseudo-random number R', or with two random or pseudo-random numbers R', R". In this case, the multiplication step xi*yj in the above algorithm becomes, for example:
u|v ← (Ri+j + (xi − R')*yj) + c + yj*R'
Another example, using two random numbers R' and R":
u|v ← (Ri+j + (xi − R')*(yj − R")) + c + xi*R" + yj*R' − R'*R"
In both cases the correction terms restore the exact product, since (xi − R')*(yj − R") + xi*R" + yj*R' − R'*R" = xi*yj.
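Added example, not the patent's own code: a Python version of the randomized LIM above, with the optional masking of the multiplication step, checked against a plain integer product. Python integers stand in for the u|v double-word register and for the masked intermediate values, which is an assumption about the implementation.

```python
import random


def to_components(n, b, l):
    """Split the integer n into l base-b components x_0 ... x_{l-1} (least significant first)."""
    comps = []
    for _ in range(l):
        comps.append(n % b)
        n //= b
    assert n == 0, "operand does not fit in l components"
    return comps


def from_components(comps, b):
    """Inverse of to_components."""
    return sum(c * b ** k for k, c in enumerate(comps))


def masked_product(xi, yj, r1=0, r2=0):
    """Basic multiplication x_i*y_j computed on masked operands.

    With r2 == 0 this is the one-mask form (x_i - R')*y_j + y_j*R' of the page;
    with two masks it is (x_i - R')*(y_j - R'') + x_i*R'' + y_j*R' - R'*R''.
    Both equal x_i*y_j exactly.
    """
    return (xi - r1) * (yj - r2) + xi * r2 + yj * r1 - r1 * r2


def lim_randomized(x, y, b, alpha, r1=0, r2=0, order=None):
    """Randomized LIM: the rows x_i are processed in the order given by alpha.

    x, y: lists of l components; alpha: a permutation of range(l);
    returns the 2l components of x*y.  If `order` is a list, the sequence of
    row indices actually processed is appended to it (to inspect the schedule).
    """
    l = len(x)
    assert len(y) == l and sorted(alpha) == list(range(l))
    R = [0] * (2 * l)                       # step 2
    for h in range(l):                      # step 3
        i = alpha[h]                        # i <- alpha_h
        if order is not None:
            order.append(i)
        c = 0
        for j in range(l):                  # y_j order is kept (partial randomization)
            t = R[i + j] + masked_product(x[i], y[j], r1, r2) + c
            R[i + j], c = t % b, t // b     # u|v <- ..., R_{i+j} <- v, c <- u
        k = i + l                           # carry propagation while c != 0
        while c != 0:
            t = R[k] + c
            R[k], c = t % b, t // b
            k += 1
    return R                                # step 4


def check(x_int, y_int, b=1 << 16, l=8, seed=3):
    """Multiply with a random row permutation and two random masks; compare with x*y."""
    rng = random.Random(seed)
    x = to_components(x_int, b, l)
    y = to_components(y_int, b, l)
    alpha = list(range(l))
    rng.shuffle(alpha)                      # permutation vector (the random word RDM)
    r1, r2 = rng.randrange(b), rng.randrange(b)
    order = []
    R = lim_randomized(x, y, b, alpha, r1, r2, order)
    return from_components(R, b) == x_int * y_int, order


if __name__ == "__main__":
    ok, order = check(0x0123456789abcdef0123456789abcdef,
                      0xfedcba9876543210fedcba9876543210)
    print("product correct:", ok, "| rows processed in order:", order)
```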
Fig. 13 shows a randomized hardware multiplier SMT2, which differs from the multiplier SMT1 described in relation with Fig. 6 in that it comprises a sequencer SM2 (state machine, microprogrammed sequencer, etc.) configured to execute the multiplication algorithm in the manner just described, i.e. by randomizing the processing order of the components xi, or the processing order of the components xi and of the components yj, with an optional additive or subtractive randomization of these components.
The permutation vector α is here a random word RDM supplied to the multiplier SMT2 by an external random or pseudo-random word generator RGEN, but it may also be generated internally by the multiplier SMT2. One or more other random words may be supplied to the multiplier, or generated by the multiplier itself, if the option of randomizing the components xi, yj is retained.
In one embodiment, the sequencer SM2 is configured to offer two operating modes: a conventional operating mode, in which it performs the multiplication in the usual manner, and a randomized operating mode according to the invention. As shown in Fig. 13, the operating mode is selected by means of a configuration signal MODE applied to the multiplier, or by means of a MODE flag programmed in a configuration register of the multiplier.
Fig. 14 shows an integrated circuit CIC2 arranged on a portable support HD (such as a plastic card) and equipped with the countermeasure device according to the invention. This integrated circuit includes the same units as the integrated circuit CIC1 described above in relation with Fig. 1, and differs from it in that the coprocessor CP1 is replaced by a coprocessor CP2 including the randomized multiplier SMT2 of Fig. 13. In another embodiment, the coprocessor comprises only the randomized multiplier SMT2 and is designed to perform nothing other than randomized multiplication (arithmetic accelerator). In other embodiments, the coprocessor may comprise components configured to perform the entire modular exponentiation function (including the randomized multiplication), or even components configured to perform an entire cryptographic function comprising the modular exponentiation function. In yet another embodiment, the randomized multiplication according to the invention is performed by the microprocessor MP.
Note that, in the present description and claims, the terms "random" or "pseudo-random" designate a number which is unknown to the evaluator or to the test process and which is unpredictable for someone who does not know the secrets of the integrated circuit. In particular, a number generated by a deterministic function that uses a secret parameter (and which is therefore not random in essence) is considered "random" or "pseudo-random" in the context of this application.
Those skilled in the art will understand that the embodiments described above can be modified without departing from the broad inventive concept of the invention. It is therefore understood that the invention is not limited to the particular embodiments disclosed, but is intended to cover modifications within the spirit and scope of the invention as defined by the appended claims.

Claims (16)

1. A method for testing an integrated circuit device, comprising:
during the execution by the integrated circuit of a multiplication of two binary words x and y, collecting a set of points representing a physical characteristic of the integrated circuit related to its switching of binary data, the multiplication comprising several basic multiplication steps of components xi of the word x by components yj of the word y;
dividing the set of points of the physical characteristic into several subsets of horizontal points, each subset corresponding to the basic multiplication of the component xi of rank i of the word x by the component yj of rank j of the word y;
forming at least one first hypothesis about the value of the word x and/or the value of the word y;
for each subset of horizontal points, forming a second hypothesis about the value of the component xi and/or of the component yj, associated with the first hypothesis;
for each subset of horizontal points, calculating an estimate of the value of the physical characteristic that varies according to the second hypothesis, and attributing the estimate to the subset and to the points of the subset; and
applying a step of horizontal truncation statistical processing to the subsets of horizontal points, using the estimates of the value of the physical characteristic associated with the subsets of horizontal points, in order to determine whether the first hypothesis is correct.
2. The method according to claim 1, wherein the step of horizontal truncation statistical processing comprises:
forming horizontal truncation subsets of points, each comprising the points of the same rank belonging to different subsets of horizontal points;
forming a set of correlation coefficients by calculating, for each horizontal truncation subset, a correlation coefficient between the points of the subset and the particular estimates of the value of the physical characteristic associated with each point of the subset; and
determining whether the first hypothesis is correct according to the profile of the set of correlation coefficients.
3. The method according to claim 2, wherein determining whether the first hypothesis is correct comprises searching for at least one correlation peak in the set of correlation coefficients.
4. The method according to claim 1, wherein the step of horizontal truncation statistical processing comprises:
classifying the subsets of horizontal points into a first group and a second group according to the estimate of the value of the physical characteristic attributed to them, by assigning to the first group the subsets of points having a high estimate of the physical characteristic and to the second group the subsets of points having a low estimate of the physical characteristic;
calculating the mean of the points of the same rank of each subset of the first group, to obtain a first subset of mean points;
calculating the mean of the points of the same rank of each subset of points of the second group, to obtain a second subset of mean points;
forming a subset of difference points, whose difference points equal the differences between the points of the same rank of the first and second subsets of mean points; and
determining whether the first hypothesis is correct according to the profile of the subset of difference points.
5. The method according to claim 4, wherein determining whether the first hypothesis is correct comprises searching for one or more peaks of the physical characteristic in the subset of difference points.
6. The method according to one of claims 1 to 5, wherein calculating the estimate of the value of the physical characteristic for each subset of horizontal points comprises calculating, according to the second hypothesis associated with the first hypothesis, the Hamming weight of data that varies with the value of the component xi and/or of the component yj associated with the subset of horizontal points.
7. The method according to claim 6, wherein the data that is a function of the value of the components xi and/or yj equals one of the following values: xi, yj, xi*yj, α*xi + β*yj, where α and β are weighting coefficients.
8. The method according to one of claims 1 to 5, wherein the physical characteristic is one of the following: the current consumption of the integrated circuit, the magnetic field absorbed by the integrated circuit, the electromagnetic radiation of the integrated circuit, or a combination thereof.
9. The method according to one of claims 1 to 5, further comprising rejecting the integrated circuit if the statistical processing step shows that the first hypothesis is correct.
10. The method according to one of claims 1 to 5, applied to an integrated circuit having: a function for processing external data, the execution of which includes a conditional branch to at least a first multiplication step of the binary words x, y or to a second multiplication step of the binary words x, y, the conditional branch varying according to private data of the integrated circuit; and a multiplication function configured to execute the multiplication step specified by the conditional branch by means of several basic multiplication steps of the components xi and yj of the words x, y to be multiplied; the method further comprising:
sending the external data to the integrated circuit;
activating in the integrated circuit the function for processing the external data;
during the multiplication performed by the integrated circuit as a function of the conditional branch, collecting a set of points representing a physical characteristic of the integrated circuit related to its switching of binary data;
forming at least one first hypothesis about the value of the private data and about the value of the binary words x, y to be multiplied, which is related to the value of the private data;
dividing the set of points into several subsets of horizontal points, each subset corresponding to the basic multiplication of the component xi of rank i of the word x by the component yj of rank j of the word y;
for each subset of horizontal points, forming a second hypothesis about the value of the component xi and/or of the component yj, associated with the first hypothesis;
for each subset of horizontal points, calculating an estimate of the value of the physical characteristic that varies according to the second hypothesis, and attributing this estimate to the subset and to the points of the subset; and
applying a step of horizontal truncation statistical processing to the subsets of horizontal points, using the estimates of the value of the physical characteristic associated with the subsets of horizontal points, in order to determine whether the first hypothesis about the value of the private data is correct.
11. The method according to claim 10, comprising rejecting the integrated circuit for failing to preserve secret data if the statistical processing step shows that the first hypothesis is correct.
12. The method according to claim 10, applied to an integrated circuit wherein the data processing function is a modular exponentiation function and the private data is the exponent of the modular exponentiation function.
13. The method according to claim 10, applied to an integrated circuit wherein the data processing function is a cryptographic function comprising a modular exponentiation function, and the private data is the exponent of the modular exponentiation function forming the private key of the cryptographic function.
14. A system for testing an integrated circuit, comprising:
an execution component configured to make the integrated circuit execute a multiplication of two binary words x and y, the multiplication comprising several basic multiplication steps of components xi of the word x by components yj of the word y;
a measurement component configured to measure and collect, during the execution of the multiplication, a set of points representing a physical characteristic of the integrated circuit related to its switching of binary data; and
a data processor configured to:
divide the set of points of the physical characteristic into several subsets of horizontal points, each subset corresponding to the basic multiplication of the component xi of rank i of the word x by the component yj of rank j of the word y;
form at least one first hypothesis about the value of the word x and/or the value of the word y;
for each subset of horizontal points, form at least one second hypothesis about the value of the component xi and/or of the component yj, associated with the first hypothesis;
for each subset of horizontal points, calculate an estimate of the value of the physical characteristic that varies according to the second hypothesis, and attribute this estimate to the subset of horizontal points and to its points; and
apply a step of horizontal truncation statistical processing to the subsets of horizontal points, using the estimates of the value of the physical characteristic attributed to the subsets of horizontal points, in order to determine whether the first hypothesis is correct.
15. The system according to claim 14, configured to reject the integrated circuit if the statistical processing step shows that the first hypothesis is correct.
16. The system according to one of claims 14 and 15, wherein the measurement component is configured to measure one of the following: the current consumption of the integrated circuit, the magnetic field absorbed by the integrated circuit, the electromagnetic radiation of the integrated circuit, or a combination thereof.
CN201110049399.9A 2010-03-01 2011-03-01 Process and system for testing the integrated circuit device Active CN102193060B (en)

Applications Claiming Priority (8)

Application Number Priority Date Filing Date Title
FR1000833A FR2956932B1 (en) 2010-03-01 2010-03-01 METHOD FOR TESTING THE RESISTANCE OF AN INTEGRATED CIRCUIT TO AN AUXILIARY CHANNEL ANALYSIS
FR1000833 2010-03-01
FR1000834A FR2956933A1 (en) 2010-03-01 2010-03-01 Integrated circuit for e.g. smart card, has multiplier executing successive multiplications of binary words by modifying order in which elementary steps of multiplication of components of words are executed, in pseudo-random/random manner
FR1000834 2010-03-01
US12/750,953 2010-03-31
US12/750,846 2010-03-31
US12/750,953 US8572406B2 (en) 2010-03-31 2010-03-31 Integrated circuit protected against horizontal side channel analysis
US12/750,846 US8457919B2 (en) 2010-03-31 2010-03-31 Process for testing the resistance of an integrated circuit to a side channel analysis

Publications (2)

Publication Number Publication Date
CN102193060A CN102193060A (en) 2011-09-21
CN102193060B true CN102193060B (en) 2015-05-06

Family

ID=44023087

Family Applications (2)

Application Number Title Priority Date Filing Date
CN2011100497307A Pending CN102193773A (en) 2010-03-01 2011-03-01 Integrated circuit protected for horizontal bypass analysis
CN201110049399.9A Active CN102193060B (en) 2010-03-01 2011-03-01 Process and system for testing the integrated circuit device

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN2011100497307A Pending CN102193773A (en) 2010-03-01 2011-03-01 Integrated circuit protected for horizontal bypass analysis

Country Status (4)

Country Link
EP (2) EP2365659B1 (en)
KR (2) KR101792650B1 (en)
CN (2) CN102193773A (en)
CA (2) CA2732651C (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9959429B2 (en) * 2013-03-15 2018-05-01 Cryptography Research, Inc. Asymmetrically masked multiplication
EP3217307B1 (en) * 2016-02-22 2018-11-07 Eshard Method of testing the resistance of a circuit to a side channel analysis of second order or more
FR3048296B1 (en) * 2016-02-25 2018-03-30 Stmicroelectronics (Rousset) Sas METHOD AND DEVICE FOR ELECTROMAGNETIC INTERFERENCE FOR INTEGRATED CIRCUIT
EP3264311B1 (en) * 2016-06-28 2021-01-13 Eshard A protection method and device against a side-channel analysis
EP3447509B1 (en) * 2017-08-21 2021-05-26 Eshard Method of testing the resistance of a circuit to a side channel analysis
CN109629109A (en) * 2019-01-28 2019-04-16 深圳全棉时代科技有限公司 A kind of preparation method of pure cotton non-woven Tetramune
FR3095709B1 (en) * 2019-05-03 2021-09-17 Commissariat Energie Atomique MASKING PROCESS AND SYSTEM FOR CRYPTOGRAPHY

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1296224A1 (en) * 2001-09-20 2003-03-26 Hitachi, Ltd. Elliptic scalar multiplication system
CN1806224A (en) * 2003-06-12 2006-07-19 皇家飞利浦电子股份有限公司 Method for defence against differential power analysis attacks
CN101183945A (en) * 2007-12-20 2008-05-21 上海交通大学 Bypass operator based elliptical curve anti-bypass attack method
CN101197668A (en) * 2007-12-06 2008-06-11 上海交通大学 Elliptic curve anti-bypass attack method based on randomizing multiplication with symbol scalar
CN101213513A (en) * 2005-06-29 2008-07-02 皇家飞利浦电子股份有限公司 Arrangement for and method of protecting a data processing device against a cryptographic attack or analysis
CN101436932A (en) * 2008-12-18 2009-05-20 天津大学 Module power computation method capable of resisting simple current drain aggression

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3926532B2 (en) * 2000-03-16 2007-06-06 株式会社日立製作所 Information processing apparatus, information processing method, and card member
FR2818846B1 (en) * 2000-12-22 2004-03-05 Gemplus Card Int COUNTER-MEASUREMENT METHOD IN AN ELECTRONIC COMPONENT USING A CRYPTOGRAPHIC ALGORITHM
US7113593B2 (en) * 2001-03-06 2006-09-26 Ericsson Inc. Recursive cryptoaccelerator and recursive VHDL design of logic circuits
GB2399904B (en) * 2003-03-28 2005-08-17 Sharp Kk Side channel attack prevention in data processing apparatus
FR2853425B1 (en) * 2003-04-07 2006-01-13 Atmel Corp EFFICIENT MULTIPLICATION SEQUENCE FOR OPERANDS HAVING LARGER WHOLE ENTIRE NUMBERS THAN MULTIPLIER EQUIPMENT
US20080091975A1 (en) * 2006-10-17 2008-04-17 Konstantin Kladko Method and system for side-channel testing a computing device and for improving resistance of a computing device to side-channel attacks
US8028015B2 (en) * 2007-08-10 2011-09-27 Inside Contactless S.A. Method and system for large number multiplication

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1296224A1 (en) * 2001-09-20 2003-03-26 Hitachi, Ltd. Elliptic scalar multiplication system
CN1806224A (en) * 2003-06-12 2006-07-19 皇家飞利浦电子股份有限公司 Method for defence against differential power analysis attacks
CN101213513A (en) * 2005-06-29 2008-07-02 皇家飞利浦电子股份有限公司 Arrangement for and method of protecting a data processing device against a cryptographic attack or analysis
CN101197668A (en) * 2007-12-06 2008-06-11 上海交通大学 Elliptic curve anti-bypass attack method based on randomizing multiplication with symbol scalar
CN101183945A (en) * 2007-12-20 2008-05-21 上海交通大学 Bypass operator based elliptical curve anti-bypass attack method
CN101436932A (en) * 2008-12-18 2009-05-20 天津大学 Module power computation method capable of resisting simple current drain aggression

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Electromagnetic frequency-domain template analysis attack on cryptographic chips; Deng Gaoming et al.; Chinese Journal of Computers (计算机学报); 2009-04-30; Vol. 32, No. 4; pp. 602-610 *
Chen Zhimin. Side-channel power analysis of security chips and countermeasures against attacks. China Master's Theses Full-text Database (Information Science and Technology) (中国优秀博硕士学位论文全文数据库(硕士)信息科技辑). 2007, (No. 6), *
A side-channel analysis model of information leakage from integrated circuit chips; Chen Kaiyan et al.; Microcomputer Information (微计算机信息); 2006-06-30; Vol. 22, No. 6-1; pp. 74-75, 166 *

Also Published As

Publication number Publication date
CA2732444C (en) 2020-02-18
EP2365659B1 (en) 2017-04-12
CA2732651A1 (en) 2011-09-01
EP2363975A1 (en) 2011-09-07
CN102193060A (en) 2011-09-21
CN102193773A (en) 2011-09-21
KR20110099184A (en) 2011-09-07
CA2732651C (en) 2017-05-30
EP2365659A1 (en) 2011-09-14
KR101792650B1 (en) 2017-11-02
EP2363975B1 (en) 2020-01-01
KR20110099185A (en) 2011-09-07
CA2732444A1 (en) 2011-09-01

Similar Documents

Publication Publication Date Title
EP3217307B1 (en) Method of testing the resistance of a circuit to a side channel analysis of second order or more
CN102193060B (en) Process and system for testing the integrated circuit device
US8572406B2 (en) Integrated circuit protected against horizontal side channel analysis
JP6707024B2 (en) Asymmetric masked multiplication
US8457919B2 (en) Process for testing the resistance of an integrated circuit to a side channel analysis
CN101840325B (en) Fault-resistant calculations on elliptic curves
EP3447509B1 (en) Method of testing the resistance of a circuit to a side channel analysis
Järvinen et al. Single-trace side-channel attacks on scalar multiplications with precomputations
Kabin et al. Horizontal DPA attacks against ECC: impact of implemented field multiplication formula
US7742595B2 (en) Cryptographic method protected against covert channel type attacks
Abarzúa et al. Survey on performance and security problems of countermeasures for passive side-channel attacks on ECC
US20090175455A1 (en) Method of securing a calculation of an exponentiation or a multiplication by a scalar in an electronic device
US7639796B2 (en) Method for secure integer division or modular reduction against hidden channel attacks
JP2008525834A (en) A secure and compact power method for cryptography
Walter Longer randomly blinded RSA keys may be weaker than shorter ones
Fournaris et al. CRT RSA hardware architecture with fault and simple power attack countermeasures
Chen et al. Mind your nonces moving: Template-based partially-sharing nonces attack on SM2 digital signature algorithm
Repka et al. Improving CPA attack against DSA and ECDSA
Walter et al. Data dependent power use in multipliers
Feix et al. Recovering CRT-RSA secret keys from message reduced values with side-channel analysis
Gierlichs et al. Template attacks on masking: an interpretation

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: Meyreuil, France

Patentee after: Weimei Anshi Co., Ltd

Address before: Aix-en-Provence, France

Patentee before: Inside Secure

TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20200330

Address after: California, USA

Patentee after: Rambus Inc.

Address before: Meyreuil, France

Patentee before: Weimei Anshi Co., Ltd